Hi.
Please do not top-post your responses on this list.
See : http://tomcat.apache.org/lists.html#tomcat-users # 6)
-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, August 31, 2016 10:53 AM
To: users@tomcat.apache.org
Subject: Re: Why is Tomcat sending "Connection: close?"
On 31.08.2016 17:50, john.e.gr...@wellsfargo.com wrote:
All,
I'm using Tomcat 7.0.70 and am having trouble understanding why Tomcat is sending "Connection:
close" in the response header as often as it is. With almost no load on the server, I get
"Connection: close" pretty much every time. The client is sending "Connection:
keep-alive" but it doesn't seem to matter. HTTP protocol is 1.1 and response code is 200.
In other cases I've seen Tomcat behave exactly the way the doc says the below
config should behave (100 requests per connection as long as the timeout is not
exceeded) but not this time.
Any idea why this is occurring or where to look to debug it? I've tried setting
breakpoints in AbstractHttp11Processor where "Connection: close" is set, but
it's not hit.
Thanks
John
Here is my connector config:
<Connector port="7124"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="80"
maxKeepAliveRequests="100"
keepAliveTimeout="10000"
scheme="https"
secure="true"
clientAuth="true"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2,SSLv2Hello,SSLv3"
keystoreFile="${keystoreFile}"
keystorePass="${keystorePassword}"
keyAlias="test"
truststoreFile="${truststoreFile}"
truststorePass="${truststorePassword}"
allowUnsafeLegacyRenegotiation="false"
ciphers="SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_ CBC_SHA,
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA, TLS_DHE_DSS_WITH_AES _128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_
ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_EC DSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WIT H_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_C BC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH _AES_256_CBC_SHA"
/>
Sorry to ask, but are you positive that there is *nothing* between the browser
and Tomcat ? (I mean like a firewall, proxy server, etc..)
> No, unfortunately not. I put "%{Connection}i %{Connection}o" in the log
config and get
"Keep-Alive close." IOW the client sends Keep-Alive but Tomcat responds with
close.
There are a number of scenarios in which a webserver - not only Tomcat - would send a
"Connection: close" header in a response, and close the connection after sending the
response. For the gory details, see https://tools.ietf.org/html/rfc7230#section-6.3 etc..
Simplified :
- if a webserver knows in advance the size of the response body, then it would normally
send a "Content-length: xxx" header, followed by a response body of exactly that length.
In such a case also, it should normally honor the keep-alive request of the client, and
not close the connection
- if the server does not know in advance the size of the response body (e.g. it is
generated dynamically by a script or servlet or such), then it cannot send a
Content-length header in advance, and it has 2 choices :
a) use a "Transfer-encoding: chunked" method, whereby the response body is "packaged"
in successive "chunks", each with a header giving its chunk length, the sequence being
terminated by a zero-length chunk (which tells the client that this response is finished)
or
b) if it cannot use (or is forbidden to use) the above for some reason, then the only
way is to send the response body as it arrives from whatever generates it, and when that
body ends, and it has sent the whole body to the client, close the connection.
The closing of the connection then acts for the client as a signal that the response to
this request is finished (as there would be no way for the client otherwise to know if
there is more to come or not).
In such a case, if the webserver were to know in advance that this is the case (before
sending the first chunk of the response body to the client), it would be good practice for
the server to also send a "Connection: close" in the headers of the response.
So, assuming at first that there is no related bug in the Tomcat 7 code, would it be
conceivable that the webapp would somehow generate its response in such a way that
a) Tomcat does not know in advance the size of that response
and
b) Tomcat is prevented from using the "Content-encoding: chunked" method ?
I found for example this which might be relevant :
http://stackoverflow.com/questions/6299432/how-do-disable-transfer-encoding-in-tomcat-6
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org